What are Probe Packets? Probe packets are usually ignored (really, if you ask around, most people never heard of them), but almost everyone uses them. If you have ever used wireless Wi-Fi, then you have used them!Probe packets are packets that each device sends automatically, from time to time, searching all around to see if X-known network is nearby, so they can connect. All devices do this to all known networks as soon as we “turn on” the Wi-Fi.Even when we are connected to a network, since the wireless protocol says the device should connect to the best known signal, the device keeps cycling through all known networks, asking for them, to see if there is a better option nearby. Yes, even when connected, the device keeps broadcasting packets, searching for an X-named network.These types of packets (and many more) can be observed with several programs that allow us to put the network device in "monitor mode," like Airmon-ng, capturing packets all around.What Information Can We Extract From Probe Packets?This is where things start to get fun! Since the device broadcasts the probe packets all around, anyone can catch them and read them; it's public and legal to read them. For starters, we get the information of the X-named network being searched. We also get the information that Y device trusts X network. If the network has some geographical reference, we gain information on where Y device has been or where we can usually find it. With some programs, it's possible to correlate some names of the networks with GPS coordinates.We can also get a “profile” of the user of the device, knowing where he or she has been, what type of networks the user connects to, how many trusted networks he or she has, etc..Usually, devices with lots of public networks marked as trusted make easy targets for attackers, and users with lots of corporate networks make high-value targets, but there is more. Tons of information can be gained about the people around us just by reading the packets. We can even try to figure out which device belongs to which person nearby. If the network name contains names like personal or family names, we might even get an “extra bonus” for social engineering attacks.How Can Probe Packets Be Abused By an Attacker?Well, if all the information we broadcast that can help target us from multiple vectors wasn’t bad enough, the attacker might also use probe packets to get access to our information. The attacker simply has to copy the name of the trusted network (any of them), and create an access point with the exact same name (this can be done with a laptop or a router) and leave the password field blank. This way, when our device finds this “trusted network,” it automatically connects as in an Evil Twin attack. Such an attack is often successful because when we get an Internet connection, we usually don’t verify from where we got it. Since the attacker controls that network, he can now monitor everything we do. Even if he is connected to a real trusted network, if the attacker can get closer or improve the signal, our device automatically “jumps” to his controlled network, simply because he knows the name of the trusted network (thanks to reading probe packets).These types of packets can also be abused instead of attackers targeting one single user, just by finding the most common public network around (let's say one city population prefers A Brand to B Brand), copying the network name (found in probes) of the public network that A brand makes available, and just standing by waiting for users to pass by and connect to the fake "A Brand network." By reading probe packets, we can find the "local trend" and target the most available users.Conclusion Probe packets are usually ignored. Even lots of hackers ignore them because they're not exactly relevant for the attacks they plan to use, and they consider them useless (but they're not all!). The information we can gather with them is amazing if we spend time analyzing and correlating them.To avoid the kinds of above-referenced attacks to your information, the best options to go with are the following:
- Disable wireless access when not in use.
- Disable the network “connect automatically” option.
- Try to minimize the number of known/trusted networks.
- Avoid giving too much information on the network name.
